• SparkKitty malware targets crypto wallets by scanning users' image data for seed phrases, posing a significant risk to mobile devices.
• Compromised apps, such as crypto price trackers and messengers, spread SparkKitty, with one app reaching over 10,000 downloads before removal.
• Kaspersky warns against storing seed phrases digitally, as malware like SparkKitty and similar threats can steal sensitive data, including crypto passwords.

SparkKitty, a dangerous new malware, is targeting mobile devices to compromise crypto wallets. It searches through users’ image data to uncover and steal seed phrases.

In recent cases, the malware infected phones through compromised apps, with several bait programs catering to lure crypto users. Thankfully, app store moderation has removed many of SparkKitty’s attack vectors.

How SparkKitty Targets Crypto Wallet Apps

Popular security firm Kaspersky identified this new malware today after months of observation across different mobile operating systems.

Earlier in February, the firm discovered SparkCat, an earlier iteration of this malware. After the previous discovery, the malicious developers repackaged this trojan through new apps.

Our researchers uncovered #SparkKitty, a stealthy Trojan targeting both #iOS and #Android devices.

It captures images and device data from infected phones and transmits them to the attackers. The Trojan was embedded in apps related to #crypto, gambling, and even a trojanized… pic.twitter.com/2CjjSwcpeo

— Kaspersky (@kaspersky) June 24, 2025

According to the company’s full report, this piece of malware is specifically focused on targeting crypto users, especially in China and Southeast Asia.

Hackers embedded SparkKitty into crypto-related apps, like price trackers and messengers with crypto-buying functionality. One such compromised messenger, SOEX, was downloaded over 10,000 times before removal.

SparkKitty’s operators also branched out to include casino apps, adult sites, and fake TikTok clones. Even if a user downloaded a contaminated app, the malware wouldn’t automatically start looking for crypto.

Instead, the app would ostensibly function normally, asking for access to users’ photos. It would continue appearing normal even after gaining this permission.

In other words, this malware would repeatedly scan image data for signs of a crypto seed phrase, double-checking the compromised device periodically.

Kaspersky’s researchers have several reasons to believe that SparkKitty is an upgraded SparkCat. For example, they share several debug symbols, code construction, and even a few compromised vector apps.

However, SparkKitty is more ambitious than SparkCat. The earlier malware would focus on penetrating crypto security, while the upgraded version can compromise many types of sensitive data.

🚨 SlowMist TI Alert 🚨

A new malware named #SparkKitty that steals all photos from infected iOS & Android devices — searching for crypto wallet seed phrases.

⚠️ Delivered via:
🔸 "币coin" (App Store)
🔸 "SOEX" (Google Play, 10K+ installs, now removed)
🔸 Casino apps, adult… pic.twitter.com/47WDc8l6tQ

— SlowMist (@SlowMist_Team) June 24, 2025

Nonetheless, SparkKitty’s main priority is still in uncovering seed phrases.

Overall, the best caution for users is never to store seed phrases digitally. Don’t even take a photo of it.

There’s no shortage of recent scams and malware that can compromise this password, thereby allowing attackers to steal all your crypto. It’s important not to give sketchy apps access to your devices, but it’s doubly vital to protect your seed phrase.